$300 tool can decrypt PGP, TrueCrypt files without a password

Russian company ElcomSoft today threw their grey hat firmly into the top-secret ring of internationally important security companies. Though the actual innovation is quite simple, the company today announced a $500 piece of hardware that could change the face of electronic security for some time to come.

For decades, the conventional wisdom has been that data can be secured. Though the Second World War was practically defined by the ongoing quest to achieve truly invulnerable communication, it took us until the early nineties to figure it out for the internet age: Phil Zimmermann’s Pretty Good Privacy (PGP). Since 1991, PGP has been the foundation of computer cryptography, and has spawned a number of successors and competitors like TrueCrypt and BitLocker. It was widely assumed to be unbreakable — and it is.

PGP has not been broken, but with their latest gadget ElcomSoft has brought an age-old loophole to the masses. As the company’s CEO Vladimir Katalov explains, their “hack” is a physical retrieval of the user’s private key – the one thing keeping their information secure – from some portion of the system’s RAM. Once the unit is powered down, the RAM is wiped, and the key is gone. As a result, simple vigilance is enough to close this loophole; the user simply has to power down their computer when not in use, and refuse to let the password be held in memory.

The RAM-scrubbing approach to password finding has been used by forensic examiners for years now, along with criminal hackers and (presumably) the covert sections of government. In the past, these invaders required significant expertise to build their own versions of ElcomSoft’s device. It was an expensive and meticulous process, and ElcomSoft has simply made it available to a much wider target audience.

It’s important to note that this is a mostly superfluous invention for ongoing monitoring of a target, since if the hacker can physically touch their adversary’s machine there are already several cheaper ways to keep watch. From keystroke-loggers to taps on monitor cables, it’s much easier to watch a person than it is to investigate their encrypted past. ElcomSoft’s latest release makes such trawling not just possible, but accessible to all.